ALERT! DUO – 2 factor authentication vulnerable

duo

Original Publication Date: 20140212
Revision Date: 20140213
Status: Confirmed, Unfixed

Overview
Duo Security has identified an issue in which it is possible to bypass second factor authentication of multisite WordPress deployments which use the Duo WordPress plugin.

Description
In a WordPress deployment using the “multisite” feature, WordPress allows members of different sites in the same network to authenticate through sites they are not a direct member of. In these deployments, if the Duo WordPress plugin is disabled globally but enabled on a Site-by-site basis a member of a 2-FA enabled site may be able to bypass second factor authentication. Consider the following example:

A multisite WordPress deployment has two sites, Site1 and Site2, with the Duo WordPress plugin enabled for Site1 but disabled for Site2. Under normal circumstances, users logging into Site1 will be prompted for primary credentials and second factor authentication; Site2 users will be prompted only for primary…

View original post 267 mots de plus

Publicités

Laisser un commentaire

Choisissez une méthode de connexion pour poster votre commentaire:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s